Velocity Reviews - Computer Hardware Reviews

MS SSL vulnerable

Roger_Nickel
Guest
Posts: n/a
 
      02-10-2004
The encryption library stores incoming data as fragments with a type
description including an integer value for data length. A large value
can wrap an integer pointer around and zero the memory heap size while
allowing the original large value to be passed to the memcpy instruction,
and the heap is overwritten with arbitrary data. Microsoft have been
sitting on this for six months. There is a thread on Slashdot.

Nicholas Sherlock
Guest
Posts: n/a
 
      02-11-2004
Roger_Nickel wrote:
> The encryption library stores incoming data as fragments with a type
> description including an integer value for data length. A large value
> can wrap an integer pointer around and zero the memory heap size while
> allowing the original large value to be passed to the memcpy


Wrap around an integer!? You mean a fragment with a size greater than
2147483647 bytes? (2 GB)

Cheers,
Nicholas Sherlock


Roger_Nickel
Guest
Posts: n/a
 
      02-11-2004
Nicholas Sherlock wrote:
> Roger_Nickel wrote:
>
>>The encryption library stores incoming data as fragments with a type
>>description including an integer value for data length. A large value
>>can wrap an integer pointer around and zero the memory heap size while
>>allowing the original large value to be passed to the memcpy

>
>
> Wrap around an integer!? You mean a fragment with a size greater than
> 2147483647 bytes? (2gb)
>
> Cheers,
> Nicholas Sherlock
>
>

Maybe not; my reading is that an integer pointer contained in the data
header and representing the data length is wrapped around when
incremented by the library, but that the original (non-incremented)
value passed to memcpy keeps its original value. It may be that the
encryption library program does not even bother to check that the size
claimed in the header matches the size of the data fragment. Either way
it seems a stupid mistake, and in the encryption/authentication library
at that.

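An added example, not code from the thread or from the library it discusses, showing the two checks the posts say were missing: detecting the wrap when a 32-bit claimed length is incremented by the header size, and refusing to trust a header length larger than the bytes actually received. The 4-byte big-endian length header and the sample fragments are assumptions constructed for illustration.

```c
/* Defensive fragment parser: assumed format is a 4-byte big-endian
 * length field followed by that many payload bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN 4u

/* The arithmetic the thread describes: adding the header size to a
 * 32-bit claimed length can wrap to a tiny value while the original
 * large value is still available to hand to memcpy. */
uint32_t naive_total_len(uint32_t claimed) {
    return claimed + HDR_LEN;        /* wraps for claimed >= 0xFFFFFFFC */
}

/* Hardened: detect the wrap before any allocation or copy happens. */
int checked_total_len(uint32_t claimed, uint32_t *total) {
    if (claimed > UINT32_MAX - HDR_LEN)
        return 0;                    /* would wrap: reject the fragment */
    *total = claimed + HDR_LEN;
    return 1;
}

/* Parse one fragment into out. Returns the payload length copied, or -1
 * when the header wraps, claims more than was received, or exceeds outcap. */
long parse_fragment(const uint8_t *buf, size_t buflen,
                    uint8_t *out, size_t outcap) {
    uint32_t claimed, total;
    if (buflen < HDR_LEN) return -1;
    claimed = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
              ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (!checked_total_len(claimed, &total)) return -1; /* wrap */
    if (total > buflen) return -1;   /* header claims more than received */
    if (claimed > outcap) return -1; /* destination buffer too small */
    memcpy(out, buf + HDR_LEN, claimed);
    return (long)claimed;
}

int main(void) {
    /* Constructed samples: a valid 5-byte fragment, and one whose header
     * claims 0xFFFFFFFE bytes so that the naive total wraps to 2. */
    const uint8_t good[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t wrap[] = {0xFF, 0xFF, 0xFF, 0xFE, 'x', 'y'};
    uint8_t out[16];
    printf("good: %ld\n", parse_fragment(good, sizeof good, out, sizeof out));
    printf("wrap: %ld\n", parse_fragment(wrap, sizeof wrap, out, sizeof out));
    printf("naive total for 0xFFFFFFFE: %u\n", naive_total_len(0xFFFFFFFEu));
    return 0;
}
```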